# Enter the Matrix (Ransomware)

###### Luca Nagy, Threat Researcher, Sophos Labs

-----

## Execution path

- `-n` parameter
- Information collection, then encryption
- Searching shared folders (NetShareEnum)
- Mutex: „OurMainMutex999net”

-----

## Information collection

- Variants V1 and V2 (March 2018)
- OS version check (major, minor)
- 32-bit / 64-bit check
- Integrity level: GetSidSubAuthority and an EqualSid check of the process SID against the well-known SIDs

-----

## Resources

- Resource names: CFG, CHAK, DSHC, DVCLAL, HTA, HX64, HX86, LLST, MPUB, NDNF, PACKAGEINFO, PLATFORMTARGETS, PRL, RDM, TAKE, WALL, WVBS

##### ChaCha20 stream cipher

- ChaCha matrix, initial state: Constant, Key, Nonce

##### CHAK/KN

- Key, nonce

-----

## ChaCha20 QuarterRound

- ARX operations (add, rotate, xor)
- cipher_text = plain_text XOR chacha_stream(key, nonce)
- plain_text = cipher_text XOR chacha_stream(key, nonce)
- Resource section decoder: https://github.com/lucanag/matrix_res_dec

-----

##### HX64, HX86 or HN

- Variants V2 and V3
- „HN”: loading the HN resource, UPX packed
- „HX86” (Aug 2018)
- „HX64”

-----

##### NDNF, CFG, PRL, LLST

Locale IDs checked:

- 2029: Azeri – Cyrillic
- 1068: Azeri – Latin
- 1067: Armenian
- 1059: Belarusian
- 1088: Kyrgyz – Cyrillic
- 2115: Uzbek – Cyrillic
- 1091: Uzbek – Latin
- 1049: Russian
- 1058: Ukrainian
- 1092: Tatar – Russia

-----

##### DSHC

- Handle Viewer
- Threads:
  - Registry: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
  - cmd
  - `WMIC Shadowcopy delete /nointeractive`
  - `vssadmin Delete shadows /all /quiet`

##### TAKE – .cmd file, WVBS – .vbs file

- `attrib`: clears the file read-only, archive or system-file attributes
- Registry: `HKCU\Control Panel\Desktop\Wallpaper`
- `calc`: modifies the DACL
- `cmd`
- `takeown`: recovers access to a file
- `taskkill`: kills handles

##### WALL – .jpg file

-----

## Encryption

- 40 random bytes from CryptGenRandom() become the ChaCha key and nonce; the 64-byte keystream blocks are produced by the QuarterRound and XORed with the plaintext
- Keys involved:
  - Embedded RSA-1536 public key; the RSA-1536 private key is known only by the ransomware authors
  - Generated RSA-1024 public and private key pair
- What is encrypted with what:
  - filesize, ChaCha key and nonce: encrypted by the generated RSA-1024 public key
  - RSA-1024 private key: encrypted by the embedded RSA-1536 public key
  - filename: encrypted by ChaCha

-----

## Decryption

- Requires the generated RSA-1024 private key

-----

## Communication with C2

- Amount of information sent to C2 grows across the variants: March 2018, Apr 2018, May 2018, Aug 2018

-----

## Ransom payment method

- HTL – .htl file
- RDM – .rtf file
- The ransom note contains a false statement

-----

## Conclusion

[Chart: Submissions of Matrix Ransomware, March-18 to September-18, per variant / contact address: [Yourencrypt@tutanota.com], [RestorFile@tutanota.com], [oken@tutanota.com], EMAN50, FOX, [Files4463@tuta.io], [Bitmine8@tutanota.com], KOK8, FASTB, [Vfemacry@mail-on.us], EMAN, NEWRAR, ANN, CORE, FASTBOB, [d3336666@tutanota.com], KOK08, MTXLOCK, [RestoreFile@qq.com], THDA, RAD]

-----

### Thank you for your attention!

###### Email: luca.nagy@sophos.com · Twitter: @luca_nagy_

-----
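The ChaCha20 QuarterRound section above summarises the cipher as ARX operations and `cipher_text = plain_text XOR chacha_stream(key, nonce)`. The following is an added example, not code from the talk or from the decoder linked above: a minimal ChaCha20 keystream generator in Python that implements the quarter round, the 20-round block function and the XOR. It assumes the IETF layout of RFC 8439 (32-byte key, 12-byte nonce, 32-bit block counter, constant `expand 32-byte k`); the sample's own key/nonce layout is not stated on the slide beyond "40 random bytes", so that part is an assumption of this example. Because the keystream depends only on key and nonce, the same function both encrypts and decrypts.

```python
"""Added example: ChaCha20 (RFC 8439 layout) keystream, quarter round and XOR.
Not part of the original slides or the linked resource decoder."""
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(state, a, b, c, d):
    """The ARX quarter round: add, rotate, xor on four words of the 16-word state (in place)."""
    state[a] = (state[a] + state[b]) & MASK32; state[d] = rotl32(state[d] ^ state[a], 16)
    state[c] = (state[c] + state[d]) & MASK32; state[b] = rotl32(state[b] ^ state[c], 12)
    state[a] = (state[a] + state[b]) & MASK32; state[d] = rotl32(state[d] ^ state[a], 8)
    state[c] = (state[c] + state[d]) & MASK32; state[b] = rotl32(state[b] ^ state[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block. Initial state = constants | key | counter | nonce."""
    assert len(key) == 32 and len(nonce) == 12
    constants = struct.unpack("<4I", b"expand 32-byte k")
    state = list(constants) + list(struct.unpack("<8I", key)) + [counter & MASK32] \
        + list(struct.unpack("<3I", nonce))
    working = state[:]
    for _ in range(10):                         # 10 double rounds = 20 rounds
        quarter_round(working, 0, 4, 8, 12)     # column rounds
        quarter_round(working, 1, 5, 9, 13)
        quarter_round(working, 2, 6, 10, 14)
        quarter_round(working, 3, 7, 11, 15)
        quarter_round(working, 0, 5, 10, 15)    # diagonal rounds
        quarter_round(working, 1, 6, 11, 12)
        quarter_round(working, 2, 7, 8, 13)
        quarter_round(working, 3, 4, 9, 14)
    # Feed-forward: add the initial state back, then serialise little-endian.
    return struct.pack("<16I", *[(w + s) & MASK32 for w, s in zip(working, state)])


def chacha_stream(key, nonce, length, counter=1):
    """Keystream of `length` bytes, starting at the given block counter (RFC 8439 uses 1 for data)."""
    out = bytearray()
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter = (counter + 1) & MASK32
    return bytes(out[:length])


def chacha_xor(data, key, nonce, counter=1):
    """cipher_text = plain_text XOR keystream; calling it again on the result decrypts."""
    return bytes(x ^ k for x, k in zip(data, chacha_stream(key, nonce, len(data), counter)))


if __name__ == "__main__":
    # Constructed key and nonce for a quick self-check (RFC 8439 2.3.2 block test values).
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    msg = b"Matrix encrypts file contents with a ChaCha keystream."
    ct = chacha_xor(msg, key, nonce)
    assert chacha_xor(ct, key, nonce) == msg
    print(chacha20_block(key, 1, nonce)[:8].hex(), ct.hex())
```

The quarter round is the only non-linear building block; everything else is the fixed word layout and the feed-forward addition, which is why a decoder for the CHAK/KN resource only needs the key and nonce bytes and the block counter convention to reproduce the stream.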
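The DSHC and TAKE sections above list the commands the sample runs before encrypting: shadow-copy deletion through `vssadmin` and `WMIC`, attribute stripping with `attrib`, `takeown`, `taskkill` and a `Run`-key entry. As an added example (not code from the talk), the following Python turns those slide items into detection logic over process-creation events. The log format (`time|host|parent pid|image|command line`), the sample lines, the rule weights and the alert threshold are all constructed for this example; the point is that shadow-copy deletion alone is alert-worthy, while the lower-weight commands only become interesting when several of them share one parent process.

```python
"""Added example: scoring process-creation events for the pre-encryption commands
listed on the DSHC/TAKE slides. Log format, sample lines and weights are constructed."""
import re
from collections import defaultdict

# (tag, weight, regex over the command line). Weights are this example's own choice.
RULES = [
    ("shadow-copy-deletion", 3,
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b.*\s/quiet\b", re.I)),
    ("shadow-copy-deletion", 3,
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\s+/nointeractive\b", re.I)),
    ("attribute-stripping", 1,
     re.compile(r"\battrib(\.exe)?\s+(?:-[rsah]\s+)+", re.I)),        # attrib -r -a -s <file>
    ("ownership-takeover", 1, re.compile(r"\btakeown(\.exe)?\b", re.I)),
    ("run-key-persistence", 2,
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("process-kill", 1, re.compile(r"\btaskkill(\.exe)?\b", re.I)),
]
ALERT_THRESHOLD = 3   # a single shadow-copy deletion is enough on its own

# Constructed sample events: WS01 shows the full pre-encryption sequence under one
# parent (pid 4120); WS02 shows benign look-alikes that must not alert.
LOG_LINES = [
    "2018-09-01T10:00:01|WS01|4120|C:\\Windows\\System32\\cmd.exe|cmd /c vssadmin Delete shadows /all /quiet",
    "2018-09-01T10:00:02|WS01|4120|C:\\Windows\\System32\\wbem\\WMIC.exe|WMIC Shadowcopy delete /nointeractive",
    "2018-09-01T10:00:05|WS01|4120|C:\\Windows\\System32\\attrib.exe|attrib -r -a -s C:\\Users\\victim\\Documents\\report.docx",
    "2018-09-01T10:00:06|WS01|4120|C:\\Windows\\System32\\takeown.exe|takeown /f C:\\Users\\victim\\Documents\\report.docx",
    "2018-09-01T10:00:07|WS01|4120|C:\\Windows\\System32\\reg.exe|reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\victim\\AppData\\Roaming\\x.exe",
    "2018-09-01T11:30:00|WS02|880|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2018-09-01T11:31:00|WS02|900|C:\\Windows\\System32\\taskkill.exe|taskkill /im notepad.exe",
]


def classify(cmdline):
    """Return (tags, weight) for one command line; ([], 0) when nothing matches."""
    tags, weight = [], 0
    for tag, w, rx in RULES:
        if rx.search(cmdline) and tag not in tags:
            tags.append(tag)
            weight += w
    return tags, weight


def parse_line(line):
    ts, host, ppid, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "ppid": int(ppid), "image": image, "cmdline": cmdline}


def analyze(lines):
    """Group matching events by (host, parent pid); return the groups whose summed weight alerts."""
    groups = defaultdict(lambda: {"tags": [], "score": 0, "events": []})
    for line in lines:
        ev = parse_line(line)
        tags, weight = classify(ev["cmdline"])
        if not tags:
            continue
        g = groups[(ev["host"], ev["ppid"])]
        for t in tags:
            if t not in g["tags"]:
                g["tags"].append(t)
        g["score"] += weight
        g["events"].append(ev["cmdline"])
    return {key: g for key, g in groups.items() if g["score"] >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for (host, ppid), g in analyze(LOG_LINES).items():
        print(f"ALERT {host} parent={ppid} score={g['score']} tags={g['tags']}")
        for c in g["events"]:
            print("   ", c)
```

Grouping by parent process rather than by host keeps an administrator's one-off `taskkill` from being summed with unrelated activity; in real telemetry the grouping key would be the parent process GUID and the window bounded in time, which this example omits.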